Rewterz Threat Alert – COVID themed targeting from North Korean Kimsuky
March 20, 2020

Severity

High

Analysis Summary

As news spread that COVID-19 patients had recently been shot in North Korea, the Kimsuky APT group from North Korea used the controversy to lure curious victims. The group is distributing a .doc document titled “COVID-19 and North Korea” to entice its targets into opening the malicious file. Apart from the document, other indicators of compromise have been retrieved that point to an infection chain belonging to the Kimsuky APT group. Kimsuky is a North Korean APT group, also known as Velvet Chollima and Black Banshee, that is sometimes perceived to be state-sponsored and that generates revenue through its malicious activities.

Impact

  • Information theft
  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

Filename

COVID-19 and North Korea[.]docx

Hostname

crphone[.]mireene[.]com
mybobo[.]mygamesonline[.]org

MD5

a4388c4d0588cd3d8a607594347663e0

SHA-256

7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015

SHA-1

b066369bbd48b7858f2c1eed1e78d85c8ae4cdb6

URL

  • http[:]//crphone[.]mireene[.]com/plugin/editor/Templates/normal[.]php?name=web
  • http[:]//crphone[.]mireene[.]com/plugin/editor/Templates/
  • http[:]//crphone[.]mireene[.]com/plugin/editor/
  • http[:]//mybobo[.]mygamesonline[.]org/flower01/post[.]php
  • http[:]//mybobo[.]mygamesonline[.]org/flower01/flower01[.]down

Remediation

  • Block the threat indicators listed above at their respective controls.
  • Do not download COVID-19-related files from untrusted sources.
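The following script is an added example written for this page; it is not Rewterz's tooling or part of the advisory. It takes the advisory's indicators exactly as listed above (in their defanged form), refangs them, and then does two things a defender would do with them: scan proxy log lines for the hostnames and URLs, and compare a set of file digests against the published MD5/SHA-1/SHA-256 values. The proxy log format ("timestamp client method url status") and the log lines themselves are constructed for the example and are assumptions, not data from the advisory.

```python
import hashlib
import re
from typing import Iterable
from urllib.parse import urlsplit

# Indicators copied verbatim from the advisory, in their defanged form.
DEFANGED_HOSTS = [
    "crphone[.]mireene[.]com",
    "mybobo[.]mygamesonline[.]org",
]
DEFANGED_URLS = [
    "http[:]//crphone[.]mireene[.]com/plugin/editor/Templates/normal[.]php?name=web",
    "http[:]//crphone[.]mireene[.]com/plugin/editor/Templates/",
    "http[:]//crphone[.]mireene[.]com/plugin/editor/",
    "http[:]//mybobo[.]mygamesonline[.]org/flower01/post[.]php",
    "http[:]//mybobo[.]mygamesonline[.]org/flower01/flower01[.]down",
]
FILE_HASHES = {
    "md5": "a4388c4d0588cd3d8a607594347663e0",
    "sha1": "b066369bbd48b7858f2c1eed1e78d85c8ae4cdb6",
    "sha256": "7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015",
}


def refang(indicator: str) -> str:
    """Turn the advisory's defanged notation ([.] and [:]) back into a usable value."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


HOSTS = {refang(h) for h in DEFANGED_HOSTS}
URLS = {refang(u) for u in DEFANGED_URLS}

# Constructed sample proxy log (assumed format: "<timestamp> <client_ip> <method> <url> <status>").
# These lines are made up for the example; they are not from the advisory.
SAMPLE_PROXY_LOG = """\
2020-03-20T09:12:41Z 10.1.4.23 GET http://crphone.mireene.com/plugin/editor/Templates/normal.php?name=web 200
2020-03-20T09:13:02Z 10.1.4.23 POST http://mybobo.mygamesonline.org/flower01/post.php 200
2020-03-20T09:14:10Z 10.1.7.8 GET http://www.example.com/index.html 200
2020-03-20T09:15:55Z 10.1.9.4 GET http://mybobo.mygamesonline.org/flower01/flower01.down 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def match_proxy_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line whose URL or host is in the advisory's indicator set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m["url"]
        host = urlsplit(url).hostname or ""
        matched_on = []
        if url in URLS:
            matched_on.append("url")
        if host in HOSTS:
            matched_on.append("host")  # catches other paths on the same C2 host
        if matched_on:
            hits.append({"ts": m["ts"], "client": m["client"], "url": url, "matched_on": matched_on})
    return hits


def digests_of(data: bytes) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a byte string, keyed like FILE_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in FILE_HASHES}


def match_hash_report(digests: dict) -> list[str]:
    """Given digests (e.g. from an EDR or sandbox export), list which algorithms match the advisory."""
    return [
        name for name, value in digests.items()
        if name in FILE_HASHES and value.lower() == FILE_HASHES[name]
    ]


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']} (matched on {', '.join(hit['matched_on'])})")
    print("benign sample matches:", match_hash_report(digests_of(b"constructed benign content")))
```

Matching on the host as well as the full URL matters here: the advisory lists several paths under the same two hosts, so a connection to any other path on crphone[.]mireene[.]com or mybobo[.]mygamesonline[.]org is still worth an alert even if the exact URL is not in the list. The hash check is written against a digest dictionary rather than a file path so it can be fed from whatever inventory or EDR export an analyst already has.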